Twitter OAuth in C++ for Win32

There seems to be lackluster support for Twitter in the C++ community.  I haven’t yet seen a single Twitter client for Windows written in C++ that was… acceptable.

Accessing the Twitter API using Basic Authentication is pretty straightforward, however Basic Authentication is going to be turned off (dead link) on August 16th, 2010 (last I checked), and after that will require all applications to use OAuth.

Having looked into what it would take to implement OAuth, I’m not surprised that few people have jumped at the opportunity to do so.  I had to scrounge around the net for several hours in order to piece together the necessary information and code required to implement bare bones OAuth functionality in C++, it’s fairly involved, and not at all well documented.

Existing Libraries

There are currently only two C++ Twitter libraries listed on Twitter’s library list, QTwitLib, and Twitcurl.  Neither appears to be under active development, they’re both GPL (which I’m not a big fan of), QTwitLib uses Qt (which I’m not a big fan of), and neither support OAuth anyway.

There is only one C++ OAuth library, liboauth, listed on Twitter’s OAuth library list, and it requires OpenSSL or Mozilla’s NSS.  OpenSSL requires Perl and NASM to be installed to build, and while I haven’t looked at NSS much, it doesn’t appear to be sync-and-go either.  At least liboauth is available under an MIT License, so this is something I might return to later.  It might be possible to remove HTTPS support and drop the dependencies without too much headache.

The Solution

So the perfectly rational (and conveniently most interesting) solution, is to try and write up some OAuth code from scratch… or from bits and pieces anyway.  Be warned, this isn’t going to be pretty.

Register Your App

The project should work out of the box, as I’ve included test keys registered to me that will work just fine, however if you’re going to alter the program at all, it would be better to register your own application that way I won’t get all the credit/blame, it’s quick and easy.

Log into Twitter’s website and hit their Register An Application page.  Choose a name for your app (you can change it later), and it can’t include the word “twitter”.  Select “Client” not “Browser”, choose “Read & Write” (if you want to be able to post), and you can leave “Use Twitter for login” unchecked.

Once your application is created, make a note of the Consumer Key and Consumer Secret, these can be found under the Application Detail link from the application edit page.  These values uniquely identify your program to Twitter.

Download The Code

The example project and source files are available on Google Code github.

The code is C++ for Win32, with a Visual Studio 2008 project file.

Use The Code

The code I’ve provided is not great and only superficially tested, please do not actually use it for anything, although you’re free to do so at your own risk.  I wrote it mostly in a single 8 hour stretch on a Friday night (yay Dr. Pepper), all the while googling for docs and samples on OAuth, and trying to figure out how to calculate an HMAC-SH1 hash.  That being said, it does work more or less.

Take your Consumer Key and Consumer Secret you got when you registered your app, and plug them into the similarly named variables at the top of tc2.cpp:

wstring ConsumerKey = L"abc";
wstring ConsumerSecret = L"ABC";

At this point you should be able to compile and run the program.  I didn’t originally intend for it to have a user interface at all, so I recommend running it in Debug mode under a debugger, as helpful trace information is displayed in the debug output window.

  1. When you run the application, it will attempt to connect to twitter, launch the Twitter authorization page in your web browser, and then prompt you on the console to enter the PIN that will be provided to you on the Twitter website.
  2. Go to your browser (it may not come to the foreground automatically) and find the authorization page that may have opened in a new tab.  If your browser didn’t load the authorization page at all, look in the console window for “Launching …” and copy and paste the entire URL into your browser.
  3. On the authorization page, Allow your application access to your Twitter account, after which you will be provided the PIN.
  4. Type the pin into the console app and hit Enter.  The app will display the authorization information, and then request your user timeline, dumping it in XML on the console.

Now that you’ve gone through this process once, the program will have saved your authorization to a file called tc2_saved.txt in the current directory (probably the project directory).  The next time you run the program, instead of re-authorizing with Twitter, it will simply re-load access token that was saved last time, and access your user time-line directly.

If you want to re-run the authorization flow, just delete tc2_saved.txt.

Anyone that has access to the contents of the saved authorization file can post as you on Twitter. This also goes for debug traces or other output that includes any access tokens and secrets.

High Level Flow

Stepping through the code will be the best way to figure it out, the app isn’t that big so it won’t take too long, but I’ll try to give a general overview of what’s going on.

OAuthWebRequest is the workhorse of the example application, every request we make to the Twitter API is through this function.

  1. We call OAuthWebRequest on, providing only our Consumer Key and Consumer Secret.  The reply from request_token gives us a temporary Request Token consisting of “oauth_token” and “oauth_token_secret”.
  2. We launch a web browser to and pass in the value of “oauth_token”.  The user authorizes the app and they are given a PIN number which they enter into our app.
  3. We call OAuthWebRequest on providing our temporary Request Token plus the PIN number we got from the user, and we get back our permanent Access Token values, “oauth_token” and “oauth_token_secret”.  We save our Access Token to disk for future use.
  4. We can now call OAuthWebRequest whenever we want to access the Twitter API as the authorized user by using the saved Access Token.  In the example, we just request the user’s main timeline at and then dump it to the screen.

However most of the “OAuth stuff” happens in BuildSignedOAuthParameters which generates all of the additional information that makes an OAuth request what it is, and not just another HTTP call.

I’ll leave things at that for now, and may go over the code in more thorough details in a follow up post, or on the Google Code project wiki.

Update: Continue to Part 2